Immediate Warning and Notice [Conficker/Downadup Virus]

<font COLOR="darkred" font size="3">VERY IMPORTANT: READ EVERYTHING IN THIS POST.</font>

Detailed in this post is extremely important information regarding your PC's security. Recently, a very potent, and malicious worm [a type of virus] has been discovered. This worm goes by several aliases, including Downadup, Conficker, or Kido; most commonly known as Downadup or Conficker.

This isn't your typical virus or worm. It can mask itself as anything it sees fit, and can go directly into Root directories. Method of infection can be anything from a file you downloaded such as a WMV or MP3 that it has masked itself as, or as sinister as plugging in your USB drive (if it was infected from a public location like the library or school/work) and Windows auto running the device. Disabling AUTO RUN is not effective in stopping Downadup.

You <font COLOR="red">ARE AT RISK</font> if you use Windows XP or Windows Vista, especially if you do not have Auto Updates on, or update frequently via manual updating. Downadup can mask itself and you may not even know you are infected. Once it infiltrates your system, it will edit your Windows Registry. After this is completed, the worm begins to override your firewall settings, allowing it to download malware from any number of hosts. This malware will only increase the damage to the PC. However, the creators of Downadup have yet to activate the second stage of the worm. Once they do, Downadup will do one of two things:

1). It will retrieve all your confidential files, personal information, passwords (online banking especially), and logins and send them to any numbers of hosts.

2). It will combine your PC into its botnet and attempt to hack (by brute force) anything it is targeted to. This is the fear of the Department of Homeland Security. With the current infection rate, it has the capability of hacking some of the most important data centers in the country if given the chance and enough time.

This worm is now being monitored by US-CERT [U.S. Computer Emergency Readiness Team, in conjunction with the Department of Homeland Security] as well as the FBI Cyber Crimes unit. They have moved this into a possible cyberterror attack, and they are quite serious about it. According to newly released figures, 1 in every 12 Windows XP/Vista PCs are infected with Downadup (current estimates are that 23 million PCs are infected)

If you are not concerned about this virus, and do not take efforts to mitigate your risk of infection or to remove the worm if you are already infected, you may not only endanger your PC, but many others. The virus has a very advanced code, and can "mutate" to adapt to threats and increase its potency. The worm will spread from your PC to your friends, and it has a very high potential to destroy your life, enjoyment, and safety on the internet.

Here is information taken directly from Symantec regarding the method of infection of the worm (thanks to Symantec for the info):

http://www.symantec.com/security_res...408-99&tabid=2

<font color="blue">(the threat level is listed as low, because the article is dated from November when the first variations of the worm were spotted. Do not be fooled, it is not a minor threat anymore) </font>

<font color="blue">Symptoms of infection
</font>
* Account lockout policies being reset automatically.
* Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services are automatically disabled.
* Domain controllers respond slowly to client requests.
* System network gets unusually congested. This can be checked with network traffic chart on Windows Task Manager.
* On websites related with Antivirus software, Windows system updates cannot be accessed.[15]


<font color="FireBrick"><strong>FOR ADDITIONAL REMOVAL DETAILS, READ THIS ARTICLE IMMEDIATELY:</strong></font>
http://support.microsoft.com/kb/962007

How can you stop this worm from affecting you? Good question, and here are the best methods.

• <font size="2">Update your Windows install immediately. Do it manually. The worm actually disables Auto Updates, so, this will prevent reinfection.</font>
  
• <font size="2">Update your Anti Virus software, and be sure you are using a good antiviral software. Do this manually as well.</font>
  
• <font size="2">Run a </font><font color="red">FULL SYSTEM SCAN </font><font size="2">on your PC after updating your Anti Virus software library. </font>
  
• <font size="2">Disable System Restore (Windows XP users)</font> NOTE: Renable System Restore after testing and ensuring you are virus free!! Very important.
• To do this follow these steps:

1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
   
   Do you want to turn off System Restore?
   After a few moments, the System Properties dialog box closes.

You can also check your registry for the worm's entries:

1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to and delete the following registry entry:
   
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\netsvcs\Parameters\"ServiceDll" = "[PATH OF WORM EXECUTABLE]" <font color="FireBrick">Keep in mind, the ServiceDll will be a randomly generated Dll file, such as fjfghw.dll or wehjvy.dll, etc etc. You need to read the article above for more details on this.</font>
   
   
5. Exit the Registry Editor

Just because you do not have the registry key above, doesn't mean you are not infected. Keep that in mind. It may just not have reached that stage yet. You still need to do a FULL DEEP SCAN of your computer, including all your hard drives and your USB media.F-Secure has developed a tool to remove Downadup, but the above should also be used in conjunction with the tool. There is no one thing that makes you secure. It is using your logic, a good software suite, and even a router firewall to protect yourself.

HERE IS THE REMOVAL TOOL FROM F-SECURE

For additional reading see these articles or Google search "Downadup" or "Conficker":

http://www.pcworld.com/businesscente...ry_16_pcs.html

http://www.computerworld.com/action/...leId=9126 478


We at Guild Wars Guru take your PC security seriously, and this warning is not intended to scare you, but make you knowledgeable about a very serious situation. I am taking personal responsibility to inform as many guru users of this threat as possible. I would encourage you to inform your family and friends of this threat, and to direct them in testing and removing if necessary, Downadup from their systems and home networks.

Oh wow, thanks for the heads up; I have a feeling my friend's computer is infected with this.. gotta break the new to him :S

Well at least I'm safe...

Thank you very much for the heads up. I am currently doing full scans on my PC and notifying any friends or family who are in danger.

I tried to check my registry for the worm's entries, but I was only able to get up to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\. I could not find the netsvcs to continue on to Parameters\"ServiceDll" = "[PATH OF WORM EXECUTABLE]".

What does that mean?

I used the removal tool that F-Secure has developed to remove Downadup in conjunction with the above. It says that everything is clean and that no infections were found and removed.

Same for me, and my bro. Looks like a good thing

And guys, make sure you enable scan hidden and system folders on your virus scans! deep scan, not the skimpy surface scan that is default

This worm exploits the Windows MS08-067 service vulnerability, a patch for which was released last October 15, 2008 by Microsoft to fix the bug. The real problem is that way too many users aren't smart enough to protect their computer. Remember the big scare over the Blaster and Sasser viruses? Well it's the same situation. Anyone who keeps their computer updated is immune, but 30% of users either don't bother, or don't know how to use Windows Update.

If you don't have the entry, that means you either....

A). Are not infected

B). The worm has not reached that stage yet.

You still, absolutely (I cannot stress this enough) need to do a FULL DEEP SCAN of your PC, including active memory (if possible), and ALL your hard disk drives (and all partitions on them) Obviously, make sure you update your AV before doing the scan. Do your Windows updates as well, and if Auto Updates is off, I would highly recommend enabling it. It can prevent this type of stuff from happening.

While this is partially true, it is not the whole story. MS08-067 patched the Ethernet vulnerability, not the download vulnerability. You can still easily get infected by downloading from a compromised source (any of the businesses or corporations infected currently). In addition, many public venues and businesses/corporations do not frequently update their networks with updates as home users do, so this is hitting them hardest. However, if Downadup can get into their upload content servers, that would be a disaster (and is exactly how it is spreading to the already updated home users). It is also rapidly spreading through USB drives, hopping from place to place hiding itself in the root of the drive.

Sasser was weak compared to Downadup, just as Blaster was (though different with Blaster). Downadup has a very adaptive code, and is almost impossible to track to its creators. That is what makes it exceeding dangerous when compared to Sasser (Blaster was approx the same threat level)

Full scan with Avira resulted only in a false positive for a completely different "threat."

Question: What measures can be taken for a system with Win 98? I'm tech support for my mom's old laptop. It sees little use, and she still has dial-up. Save the speech on Win 98's other vulnerabilities. Software firewall and anti virus are installed and updated.

Checked the registry path, and couldn't find it where you said. I found it somewhere else though, in netprofm>parameters instead. I'm running the Windows 7 Beta atm, dunno if that has anything to say. Should I delete the ServiceDll in there instead?

No clue, not even sure Downadup will have a chance to infect it. Win 98 is old as snot now. Google to be sure, but I have a hunch it isn't at risk (hackers don't create virii to infect old, outdated systems)

No, Win7 is in beta, and I believe unaffected by this. Again, this relates to the above, except instead of being old and gone, it is new and not around yet. Besides, that is a totally different registry key. So, leave it be.

Will do then:P

From the Symantec article:

I'll look into it, then. Primary focus on prevention.

Option D - Can't complete scan because my system is so unstable

*Heads to new thread*

Think it's unlikely that I've got it, though - Windows Update is still updating and NOD32 updated this morning too. Also, don't have that registry item.

[edit]Full, deep scan completed - nothing found

what about avg? I have that on my two computers---and they run every single morning (and outside of my favorite false trojan from texmod--there is nothing to report)....?

AVG has fallen out of favor lately, Cosy.

Try Avira for a free one or NOD32 if you don't mind paying.

See Tarun's security thread - http://www.guildwarsguru.com/forum/s...php?t=10302726

Checked registry, dont seem to have that item, did a deep scan and didnt find anything. Thanks for the warning, i'll be paying attention more often now, espeially since i use my PC on a university connection sometimes

I had this virus on my XP-System December 17th last year and I remember the hassle getting rid of this little sucker. Avira detected it immediately, but could not do anything about it. Shortly after I finally was able to delete it (disabling System-Restore etc.) Microsoft released a bunch of emergency security-updates.

My PC was safe after that, and I have not had any security issues since then. I always do regular updates for both windows and avira.

thanks snog but I paid for 2 years for avg and still have about 20 months left of that....

however, I RARELY download anything (I dont even have email on this computer!)...so not too worried (and no, I am female so none of that p0rn stuff here )

and checking the registry got me to the same thing--no netserv thing either.
(will check the other computer later as its running its daily scan right now---takes it some time as its 'older').

I highly doubt that I'd get the worm due to the way that I use my computer (never ever DL things, barely even surf the net), and I definitely don't plug in any external storage drives (no need to) so yeah.

Though, my brothers do dumb things, so the chance that something could spread through my home network via my Router could still be a risk to me, but I'm not sure. Is there an option for my router that I could disable to prevent this?

thanks for the heads. after scanning i found that i was clean.

and lol i watched tremors last nigth

although i have been reliably informed that its not that type of worm!

<s>Hmm, i had the registery entry, and deleted it. Does this mean its gone?</s>
nvm on that, deleted something else that was familiar looking :P

I also ran nod32 and the f-downadup program ran, and it didnt find anything, so i guess im clean.

EDIT: F-Downadup Note: Computers infected by Downadup are blocked from reaching f-secure.com websites.

just saw that on their site, was able to reach it fine so probably im just clean

Thanks for warning us, Rahja. No registry entry here, but I'm installing Avira at this moment and will perform a deep scan.

Results came up with a minor Trojan, other than that, I'm clear.

Recently formatted because of other Trojans I had, and this time instead of installing AVG, (seeing as it let me down), my PC Driver CD came with Kaspersky, and that's registered until April.

Wondering, is Kaspersky strong enough to detect/remove these? It's Deep scanning as we speak, but i'll change it out if it's not a strong option.

Thanks for the heads up, one question though. Why do we need to disable System Restore ? All ways seemed like a handy idea to keep it turned on. Thanks.

System Restore saves the trojan/worm/virus also. So it is still there after removal from current system.

Thanks for the heads-up. I was clean today, but will keep a watch for it.

I have avast and Spybot S&D. I didn't run my spyware detector yet (I will tonight, though), but I did a boot scan of my computer overnight, and the scan didn't seem to have found anything, which is a good thing I guess.

On another note, I have been keeping up with the updates, and I'm currently under a fresh (installed just last night) installation of Windows XP Professional.

I will keep my system updated regularly, too.

Updated MS08-067 Oct. last year and expected no problems. Ran full systems scan anyways, nothing found. Ran Symantec's removal tool, nothing found to remove.

tnx for heads up nevertheless

Hey guys.
I just went to try and update my pc (im on vista, so the things gotta search for updates before it can do anything) and i got this error:

Code 8000FFFF: Windows Update a rencontré une erreur inconnue.

Have had no trouble with this until now.
Web search has come up with nothing, and im not a PC wizz so i was wondering whether you guys knew whats going on/if this is possibly the worm?

Slightly worried, but im scanning and McAfee hasnt had any problems updating (i did it manually) and is scanning away now.

Any ideas how to fix this would be brilliant, it was fine till now and it says last update was onnnn the 17th.

Thanks

~Lies

EDIT: Researched and got quite a bit, but nothing ive trieds worked so far :s
And i forgot i was on a french PC and this is an english forum...
Translation: Code 8000FFFF: Windows Update has encountered an unknown error.

Thanks again.
~Lies

Thanks Rahja! Ran a full system scan like suggested, just to be sure. Clean as a whistle!

According to the poll you have helped save two computers with this information (so far),- got to feel good about that!

i wonder if this applies to the win 7 beta also...

This is the virus that crashed the hell out of my laptop, somehow we got it fixed but now my laptop is bluescreening

http://www.cnn.com/2009/TECH/ptech/0...ref=newssearch

So... I'm a little confused. I read this article a week ago that states the downadup worm is engineered to spread through corporate networks and, for that reason, corporate networked computers are more at risk than home computers.

The means of infection through networked computers described in the article seems different than the means of infection you describe, and it appears from this article that corporate networks are indeed in deep doodoo where this worm is concerned and that it spreads through corporate networks is the reason for the rapid rate of spread and concern to Homeland Security.

But I can see how it might be easy to bring the worm home from work on a flash drive. What I don't see is how this is any more damaging to our home systems than any other worm or virus we can contract. I'm sure there's a lot more information out there about it that I can research when I have the time, but in the meantime I'd love if you'd explain.

Btw, I did a manual scan on my work computer immediately after reading this article and then on my home computer as well. I think I'll do another on my work computer as soon as I finish this post *shivers*

Thanks!

Scanning as we speak , searched for the registry but couldn't find it. Thanks for the heads up Rahja

Rather than explain it in detail, I will just give you a quick example with an exclaimer.

Many businesses do not frequently update their network with Windows Updates as they should, because it does require a substantial investment in time and resources. They have to bring down the network, test the updates, make the updates live, and bring back up the network. It can take several hours, which at a corporation, is bad news. This is still no excuse though, so don't take it that way.

But, say for example, CNET became infected (not saying they are). The virus could, in fact, spread to their content upload servers, that you download things from. You go to CNET and download, say, Spybot or AdAware etc. Now, you go to install the program, but little do you know, the sneaky little Downadup has already gone and imbeded itself in their uploads, because it infected their network previously, and spread like wildfire. Again, just a hypothetical example.

The point is, this thing is hitting corporations more and more, which endangers home users that are the least bit lax on security. Those who run a good security suite and are concious of their actions on the net have far less to worry about (though it doesn't mean you still can't get it)

Let's also have a look at the pole results so far. Based on 44 people voting, 2 were infected and removed the worm.

That being said, that means by our numbers, 1 in every 22 PCs are infected. Now, Guru users are, for the most part, computer literate and know basic internet etiquite. This pretty much falls in line with the estimates coming in from around the world placing it at 1 in every 14-16 PCs. Standard, computer illiterate users are many times more likely to be infected than most of us. Keep that in mind. The results speak for themselves.

*is running a thorough scan on Avast at this moment*

I can access F-Secure.com, so I think I'm good... right? o0

How do you disable System Restore if you have Vista? Also, I was looking in my Registry, and I couldn't find netsvcs. Is that ok? Or should I be worried?

No, if you don't have the registry entry, that is a GOOD THING. Still, do your scans and be extra cautious of who/where you download from.

1: Open up "Control Panel" and navigate your way to "Programs and Features".

2: Click "View installed updates" on the left hand side.

3: Find the update KB929777 and uninstall it.

4: Attempt to install the update again in Windows Update

5: Once successful, restart your PC.

Alternatively

1: Launch REGEDIT

2: Go into HKLM\COMPONENTS, and check if these three values exist under the COMPONENTS key:

PendingXmldentifier
NextQueueEntryIndex
AdvancedInstallersNeedResolving

3: Providing they do exist, back up the Components key, then delete the three above values.
4: Restart the computer, and Windows Update should now be working fine.

After running the spyware scan, I found 11 entries, but I easily removed them.

I was not infected with the virus (as I said, I do have a fresh install of XP Pro (love that Pro!)).

Thanks for the heads up; I will spread the word.

Ok I use McAfee and don't see a deep scan button so I'm just wondering if these settings are fine:


Also, is McAfee good enough to spot it and remove it if it's there? I'm currently scanning at the moment so I don't know how it'll end.

Additionally, how true is it that if you can reach f-secure.com that you're safe? I have 3 laptops that all could reach it, but I want to be sure.